There's a lot of very obvious "didn't bother reading the article but I'm going to comment on the headline" behaviour in this thread.
FB users put their details on their publicly accessible FB, someone ran a scraper across FB for publicly accessible info and dumped it into an insecure Elasticsearch cluster and a researcher found that cluster.
How is FB at fault there? I say this as someone who has colossal issues with that company in general.
Facebook have a history of making settings default to little or no privacy, making those settings obscure and difficult to set, and changing those settings and their defaults faster than most people can keep up. This data dump is the not at all surprising result of Facebook's policies.
> Diachenko believes the trove of data is most likely the result of an illegal scraping operation or Facebook API abuse by criminals in Vietnam, according to the evidence.
The only ones capable of preventing either the scraping operation or the API abuse would be Facebook. Scraping is an arms race, but I certainly don't trust Facebook to care about protecting my data, except where it would infringe on their ability to sell it. If it's "API abuse," that's definitely on Facebook to prevent.
This is like the Cambridge Analytica scandal: people allowed 3rd party apps to access their data and then they complain when, eh, they had their data.
Solution? Facebook closed the API. And now people complain that Facebook is a silo and they hold onto your data and they don't allow 3rd party apps to access it.
Just a reminder that Comparitech "pays" security researchers for "data breaches" and most likely encourages people to report these things to them without getting servers patched: https://twitter.com/securinti/status/1196850409924681728
No offense, but if you need to "pay" for your researcher, you're probably not that ethical and are most likely behind some intentional offensive hacking, so people can make money off your back.
To me it just sounds like they're offering a bespoke bounty programme.
If you can assume that they are reporting the exploits or breaches through the right channel, it might actually be more convenient for bounty hunters to have 1 place to funnel them all into.
If Comparitech also make some profit off their reporting of the breaches then you can start to get an idea of where they're getting some funding from.
I am fine with this practice. It incentivises more grey/white hat eyes on potential breaches. And in my book, that's never a bad thing.
Given how public they are about their methods and approach, I will give them the benefit of the doubt for now.
Facebook has fundamentally lost control of their infrastructure. It is insanity. There are now VPNs out of Hong Kong operating out of FB ASN space. I truly have never seen anything like this in my life.
At FB the morale has collapsed. The support forums and bug bounty submissions are piling up and have been for weeks.
FB cannot and will not act. It is a problem of leadership not engineering and I have tremendous respect for nearly all of the staff there.
That being said the fact that Facebook continues to ignore that servers in Vietnam are hosting what appears to be all 71 million records of the Vietnamese people is shocking. If you are a Muslim in Vietnam the information is shockingly detailed.
Isn't that actually another thing to worry about: what is going to happen to all this data when FB eventually goes bankrupt? Seems hard to believe they're just going to delete it from their servers...
As much as I hate Facebook, I can't really blame them for someone scraping data users decided to share publicly. When you publish data online available publicly it's normal and expected that someone can make a copy of it, either through manual data-entry or automated scraping.
The only question here is how were emails & phone numbers obtained and whether users were made aware that they would be available publicly.
> This will reduce the chances of your profile being scraped by third parties, but the only way to ensure it never happens again is to completely deactivate or delete your Facebook account.
Translation: the only way to have an account is to not have an account.
Yes and changing it is not easy. In particular securing it on AWS has reached totally preposterous levels. I am a Pro Architect Cert holder and I am routinely baffled by the docs there.
The author describes himself as: "TECH WRITER, PRIVACY ADVOCATE AND VPN EXPERT" (capitalization from source)
"...the trove of data is most likely the result of an illegal scraping operation or Facebook API abuse by criminals..."
More cyber alarmism. What would these "VPN experts" say to a phone directory?
He goes on to describe how this was reported as abuse to the service provider instead of notifying the owners of the DB.
Finally he concludes that users can manage their privacy settings from within Facebook. Thereby acknowledging that users can manage their data or have chosen to provide it publicly.
The cyber-alarmism trend from self appointed security experts has gone too far.
Zuckerberg: Yeah so if you ever need info about anyone at Harvard
Zuckerberg: Just ask.
Zuckerberg: I have over 4,000 emails, pictures, addresses, SNS
[Redacted Friend's Name]: What? How'd you manage that one?
Zuckerberg: People just submitted it.
Zuckerberg: I don't know why.
Zuckerberg: They "trust me"
Zuckerberg: Dumb fucks.
No no, you see it's the users' fault for... uh... using a service promising to protect them?
Yes indeed putting information online you expect some level of privacy for was your fault, because someone posted it on display for everyone to see. Mark is never at fault.
What this highlights is that it is damn simple to be a poor developer yet achieve a particular goal. You can brute force your way towards that goal, ignoring any sort of costly 'useless' security, usability or user privacy aspects. Even more so if you're a criminal. GDPR|CCPA < INTERPOL!
This is never going to end. This is true for criminal orgs but also legit businesses that despite regulations will mostly prioritize features to their customers over less tangible/monetizable value like hardened infrastructure and updated software.
Maybe I'm wrong and this cluster was left exposed for another reason, though.
I am so sick of getting nuisance calls that I just don’t answer numbers I don’t recognise or expect anymore (thanks OVH!). If someone leaks my phone number another time I’d still be pretty pissed off.
daddylonglegs (6 years ago):
I remember the Zuckerberg family being caught out by Facebook's settings over a photo and complaining when the photo spread: https://gizmodo.com/randi-zuckerberg-is-just-as-confused-by-...
cmdshiftf4 (6 years ago):
Worse still, they used the numbers provided for ad targeting.
https://techcrunch.com/2018/09/27/yes-facebook-is-using-your...
rshnotsecure (6 years ago):
http://125.212.244.27:9200/_cat/indices
layoutIfNeeded (6 years ago):
ELI5?
rshnotsecure (6 years ago):
IP:9200/_search?q=myName
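The two URLs posted above (`_cat/indices` to list what an exposed cluster holds, `_search?q=` to look yourself up in it) are the whole "breach discovery" technique: an Elasticsearch node that answers anonymous GETs on 9200 hands over its index list and its documents to anyone who asks. The script below is an added example written for this thread; it is not code from the article, from Comparitech or from any commenter. It assumes the 6.x/7.x REST API shape (`GET /` returns `cluster_name` and `version`, `GET /_cat/indices?format=json` returns a JSON array, `GET /<index>/_count?q=` returns `{"count": N}`), classifies a base URL as open, auth-required or not-Elasticsearch, and uses `_count` rather than `_search` for the "is my number in there?" check so the answer is a number rather than other people's records. The HTTP layer is injectable; the `fake_fetch_*` functions and the TEST-NET address `203.0.113.5` are constructed stand-ins so it runs offline, and `http_fetch` (the default) is what you would use against a real host.

```python
"""Classify an Elasticsearch endpoint's anonymous exposure (added example)."""
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Any, Callable, Dict, List, Tuple

# A fetcher takes a full URL and returns (HTTP status, response body).
Fetcher = Callable[[str], Tuple[int, str]]


def http_fetch(url: str, timeout: float = 5.0) -> Tuple[int, str]:
    """Plain GET with no credentials: exactly what a scanner or scraper sees."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        # A secured cluster answers 401/403 here; keep the status, don't raise.
        return err.code, err.read().decode("utf-8", "replace")


def classify_exposure(base_url: str, fetch: Fetcher = http_fetch) -> Dict[str, Any]:
    """Return {"state", "version", "indices"} for base_url (e.g. http://host:9200).

    state is "auth_required" (401/403: security is on), "not_elasticsearch"
    (something else is on the port) or "open" (anonymous read works).
    """
    base = base_url.rstrip("/")
    status, body = fetch(base + "/")
    if status in (401, 403):
        return {"state": "auth_required", "version": None, "indices": []}
    try:
        root = json.loads(body)
    except ValueError:
        root = None
    if status != 200 or not isinstance(root, dict) or "cluster_name" not in root:
        return {"state": "not_elasticsearch", "version": None, "indices": []}
    version = (root.get("version") or {}).get("number")

    status, body = fetch(base + "/_cat/indices?format=json&h=index,docs.count,store.size")
    if status != 200:
        # Root answered anonymously but the index list did not: still open.
        return {"state": "open", "version": version, "indices": []}
    indices: List[Dict[str, Any]] = []
    for row in json.loads(body):
        indices.append({"index": row.get("index"),
                        "docs": int(row.get("docs.count") or 0),
                        "size": row.get("store.size")})
    # Largest first: in a scrape dump these are the indices holding profiles.
    indices.sort(key=lambda r: r["docs"], reverse=True)
    return {"state": "open", "version": version, "indices": indices}


def count_hits(base_url: str, index: str, field: str, value: str,
               fetch: Fetcher = http_fetch) -> int:
    """Count documents in `index` whose `field` matches `value` via _count.

    The query_string value is phrase-quoted and URL-encoded so characters
    such as '+' or ':' in a phone number are not parsed as query syntax.
    """
    q = '%s:"%s"' % (field, value.replace('"', '\\"'))
    url = "%s/%s/_count?q=%s" % (base_url.rstrip("/"),
                                 urllib.parse.quote(index, safe=""),
                                 urllib.parse.quote(q, safe=""))
    status, body = fetch(url)
    if status != 200:
        raise RuntimeError("_count failed with HTTP %d" % status)
    return int(json.loads(body)["count"])


# --- constructed responses standing in for three kinds of host (not real data) ---
def fake_fetch_open(url: str) -> Tuple[int, str]:
    """An unauthenticated 6.8 cluster holding a constructed 'profiles' index."""
    path = url.split("9200", 1)[1]
    if path == "/":
        return 200, json.dumps({"name": "node-1", "cluster_name": "scraper-es",
                                "version": {"number": "6.8.4"}})
    if path.startswith("/_cat/indices"):
        return 200, json.dumps([
            {"index": ".kibana", "docs.count": "3", "store.size": "10kb"},
            {"index": "profiles", "docs.count": "120000", "store.size": "1.1gb"}])
    if path.startswith("/profiles/_count?q="):
        q = urllib.parse.unquote(path.split("q=", 1)[1])
        return 200, json.dumps({"count": 1 if q == 'phone:"+84 555 0100"' else 0})
    return 404, "{}"


def fake_fetch_secured(url: str) -> Tuple[int, str]:
    """A cluster with authentication enabled rejects every anonymous request."""
    return 401, json.dumps({"error": {"type": "security_exception"}})


def fake_fetch_web(url: str) -> Tuple[int, str]:
    """Something that is not Elasticsearch at all listening on the port."""
    return 200, "<html><body>It works!</body></html>"


if __name__ == "__main__":
    target = "http://203.0.113.5:9200"  # TEST-NET address; constructed
    print(classify_exposure(target, fake_fetch_open))
    print(count_hits(target, "profiles", "phone", "+84 555 0100", fake_fetch_open))
```

Run against a real host by omitting the `fetch` argument. If it comes back `open` for one of your own nodes, the fix is on the server, not in the client: bind `network.host` to a loopback or internal interface (or put the node behind an authenticating proxy) and enable authentication with `xpack.security.enabled: true`, which has been available on the free basic licence since 6.8 and 7.1.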
hurricanetc (6 years ago):
If you have an account your data has been in a leak.
charlesism (6 years ago):
Billions of compromising documents, photos and personal details are now sitting around on the servers of a half dozen for-profit companies.
Only Equifax has given us a taste of what is in store.
Is the world prepared for the day when a trillion Gmail messages leak? Billions of personal camera-roll photos? Trillions of search history entries?
We need to start taking these issues seriously.